Thanks Jeff. Please see inline.


On Mon, Jan 14, 2013 at 5:24 PM, Jeffrey Walton <noloa...@gmail.com> wrote:

> On Mon, Jan 14, 2013 at 5:52 AM, Rahul Godbole <rahulmg1...@gmail.com>
> wrote:
> >
> > 1)  I am trying to build OpenSSL for FIPS. When I link to the below
> > functions from an external program linking to libcrypto.a, I get a
> > linking error for them. When I grepped for the below functions in
> > libcrypto.a and aes_core.o ( aes_core.c is where they are defined ), I
> > got no results. I have built the whole thing with symbols. It looks
> > like these functions are not being compiled with fips on. I need them
> > to be compiled.
> >
> > AES_set_encrypt_key()
> > AES_encrypt()
> > AES_set_decrypt_key()
> > AES_decrypt()
> When I link against the archive (most often), I specify the full path
> (no -l or -L flags): /usr/local/ssl/iphoneos/lib/libcrypto.a.
>
> The dynamic library requires some extra steps (re: fipsld), but I
> don't need it. I don't believe you need it either since you are
> linking against the archive.
>

Rahul:
I tried linking to the static lib specifying the full path. I still have
the same issue. Basically, the symbols for the above functions are not there
in my libcrypto.a.


> > 2) libssl.a/libssl.so and libcrypto.so are not being built in the OpenSSL
> > fips build. I need it to be built.
> I don't believe this is correct. Below is from my FIPS capable iOS gear:
>
> $ nm  /usr/local/ssl/iphoneos/lib/libcrypto.a 2>/dev/null | egrep -i "(AES_set|AES_encrypt|AES_decrypt)"
> 000251a4 T _fips_aes_decrypt
> 00024cdc T _fips_aes_encrypt
> 00024ae0 T _fips_aes_set_decrypt_key
> 00024700 T _fips_aes_set_encrypt_key
> 0000000c T _AES_set_decrypt_key
> 00000044 T _AES_set_encrypt_key
>          U _private_AES_set_decrypt_key
>          U _private_AES_set_encrypt_key
>          ...
> 00000aa4 T _AES_decrypt
> 000005dc T _AES_encrypt
> 000003e0 T _private_AES_set_decrypt_key
> 00000000 T _private_AES_set_encrypt_key
>          U _AES_decrypt
>          U _AES_encrypt
>          ...
>


Rahul:
I see these #define for the above functions in fips/fipssyms.h

#define AES_decrypt fips_aes_decrypt
#define AES_encrypt fips_aes_encrypt
#define AES_set_decrypt_key fips_aes_set_decrypt_key
#define AES_set_encrypt_key fips_aes_set_encrypt_key

I see the symbols fips_aes_encrypt, fips_aes_decrypt,
fips_aes_set_decrypt_key, fips_aes_set_encrypt_key in libcrypto.a but still
not the AES_*** symbols.

When I try calling the fips_aes_*** defines from the code using OpenSSL, I get
a warning "Implicit Declaration Of Function fips_aes_***". Since warnings
are not allowed in the product, I can't compile.




> When you build the FIPS Capable, it simply uses the FIPS Object Module
> (which provides the validated cryptography). FIPS is transparent to
> the user (me and you) after you build the FIPS Object Module.
>
> Confirm you:
>
>   $ rm  -rf  openssl-1.0.1c/
>   $ tar  xzf  openssl-1.0.1c.tar.gz
>   $ cd   openssl-1.0.1c/
>   $ ./config fips <config options>
>   $ make  <make options>
>   $ sudo make install
>
> The config options I use are: --openssldir, -no-sslv2, -no-sslv3,
> -no-comp, -no-shared, -no-dso, -no-hw, -no-engines. I don't use make
> options at the moment (or only as workarounds for a broken MAKEDEPEND).
>
>
Rahul:
Here is how I compiled. Still have the same issue.
$ ./config fips
$ make





> Jeff
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org
>
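
Added example, not part of the original thread: a small shell helper that classifies each symbol name in a saved nm listing as defined (T), only referenced (U), or absent, using exact name matching so that _private_AES_set_encrypt_key is not mistaken for AES_set_encrypt_key the way a substring grep would match both. The function names and the sample listing (object names and addresses) are constructed for illustration.

```shell
#!/bin/sh
# classify_symbols LISTING NAME...
# LISTING is a file holding saved nm output, e.g.
#   nm /path/to/libcrypto.a 2>/dev/null > listing.txt
# For each NAME, print "NAME: defined" (type T/t), "NAME: undefined-only"
# (type U only) or "NAME: absent". One leading underscore (Mach-O, as in
# the iOS listing in the thread) is stripped before the exact comparison.
classify_symbols() {
    listing=$1; shift
    for name in "$@"; do
        awk -v want="$name" '
            NF < 2 { next }              # skip blanks and "member.o:" headers
            {
                type = $(NF-1); sym = $NF   # "ADDR TYPE NAME" or "TYPE NAME"
                sub(/^_/, "", sym)
                if (sym != want) next
                if (type == "T" || type == "t") is_def = 1
                else if (type == "U") is_undef = 1
            }
            END {
                state = is_def ? "defined" : (is_undef ? "undefined-only" : "absent")
                printf "%s: %s\n", want, state
            }' "$listing"
    done
}

# Constructed sample listing (not taken from a real archive).
sample_listing() {
    cat <<'EOF'

first.o:
00024cdc T _fips_aes_encrypt
00024700 T _fips_aes_set_encrypt_key
00000000 T _private_AES_set_encrypt_key

second.o:
         U _AES_set_encrypt_key
EOF
}

tmp=$(mktemp)
sample_listing > "$tmp"
classify_symbols "$tmp" AES_encrypt AES_set_encrypt_key fips_aes_encrypt
rm -f "$tmp"
```

A name reported as undefined-only or absent is not provided by that archive, so a program referencing it will fail at link time unless another input supplies it.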
